
Re: /dev/vcs* perms (was: Re: should fte provide /usr/bin/editor?)



Miquel van Smoorenburg writes:
 > >Login does something different: it can optionally put someone who logs in
 > >in certain groups. In /etc/login.defs I have the following line:
 > >
 > >CONSOLE_GROUPS          floppy:audio:cdrom
 > >
 > >This puts everyone who logs in on the console in groups floppy, audio and
 > >cdrom. Now if only xdm could do the same for everyone who logs in on
 > >the local console...
 > 
 > So, I can login on the console, copy a shell to /tmp, and do:
 > 
 > chgrp audio /tmp/bash
 > chmod 2775 /tmp/bash
 > 
 > and then I can use /dev/audio (+cdrom+floppy) even when I'm not logged
 > in on the console.
 > 
 > Looks like a security hole to me.

Sure. Maybe it would be better to mix the 2 ideas, i.e. hacking PAM,
but to make it handle the perms in /dev (à la Solaris or so) instead of
the group. That's exactly what we want, anyway.

-- 
Yann Dirson  <dirson@univ-mlv.fr>        | Stop making M$-Bill richer & richer,
alt-email: <ydirson@a2points.com>        |     support Debian GNU/Linux:
                                         |         more powerful, more stable !
http://www.a2points.com/homepage/3475232 |
		    -----------------------------------------
		    A computer engineer's looking for a job !
		    -----------------------------------------
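
An added example, not part of either poster's message: a small audit for the effect Miquel describes, listing files that are setgid to any group named in CONSOLE_GROUPS. It assumes the login.defs line format quoted above; the function names and the script name `audit.sh` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# console_groups FILE
#   Print the CONSOLE_GROUPS value (e.g. floppy:audio:cdrom) from a
#   login.defs-style file; commented-out lines are ignored.
console_groups() {
    awk '$1 == "CONSOLE_GROUPS" { print $2; exit }' "$1"
}

# find_console_setgid GROUPS DIR...
#   List regular files under DIR... that are setgid to one of the
#   colon-separated GROUPS (names or numeric gids). Running such a file
#   grants the group to any user, logged in on the console or not.
find_console_setgid() {
    cg_list=$1
    shift
    for cg in $(printf '%s' "$cg_list" | tr ':' ' '); do
        # -perm -2000 matches the setgid bit. find exits non-zero for a
        # group unknown on this host or an unreadable directory; carry on
        # with the remaining groups in either case.
        find "$@" -xdev -type f -perm -2000 -group "$cg" -print 2>/dev/null || true
    done
}

# Example run: sh audit.sh /etc/login.defs /tmp /var/tmp /home
if [ "$#" -ge 2 ]; then
    defs=$1
    shift
    find_console_setgid "$(console_groups "$defs")" "$@"
fi
```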

